Configure Okta as a CA with static SCEP challenge for Windows using Workspace ONE

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted Windows devices. This topic describes how to create a static Simple Certificate Enrollment Protocol (SCEP) profile in Workspace ONE and generate a SCEP URL in Okta.

If you're using Workspace ONE, use static SCEP. Workspace ONE has known issues with dynamic SCEP.

To configure a delegated (dynamic) SCEP challenge type for Windows using Microsoft Intune, see Configure Okta as a CA with delegated SCEP challenge for Windows with MEM.

Before you begin

Make sure that you have access to the Okta Admin Console.

Okta as a CA doesn't support SCEP renewal requests. Instead, redistribute the profile before the certificate expires so that a newly issued certificate replaces the one that's about to expire. Configure all MDM SCEP policies to allow profile redistribution.

Start this procedure

Configure management attestation and generate a SCEP URL and a secret key in Okta

  1. In the Okta Admin Console, go to Security > Device integrations.

  2. Click the Endpoint management tab.

  3. Click Add platform.

  4. Select Desktop (Windows and macOS only).

  5. Click Next.

  6. On the Add Device management platform page:

    1. Select Use Okta as certificate authority as the Certificate Authority.

    2. Select Static SCEP URL as the SCEP challenge type.

    3. Click Generate.

    4. Copy and save the Okta SCEP URL and the Secret key. You'll enter these values into Workspace ONE when you create a static SCEP profile.

      This is the only time that they appear. Treat the Secret key as a credential: it's the static challenge password that authorizes every certificate request sent to this SCEP URL, so store it in your secrets manager rather than in tickets or chat.

  7. Click Save.

In Okta, download the x509 certificate

The x509 certificate you download from Okta is the Organization Intermediate certificate.

  1. In the Admin Console, go to Security > Device integrations.

  2. Select the Certificate authority tab.

  3. For the Okta CA Certificate Authority, click the Download x509 certificate icon in the Actions column.

    You'll upload the certificate to Workspace ONE when you define a device profile.

In Workspace ONE, create a static SCEP profile

Configure the Okta CA as a Certificate Authority in Workspace ONE so you can deploy certificate profiles through the management channel.

  1. If you aren't already logged in, log in to Workspace ONE as an administrator.

  2. In Workspace ONE, click DEVICES (left ribbon bar).

  3. Click Certificates > Certificate Authorities.

  4. Click + ADD.

  5. On the Certificate Authority - Add/Edit page, enter the following:

    • Name: Enter a name for the CA.

    • Description: Optional. Enter a description for the CA.

    • Authority type: Select Generic SCEP.

    • SCEP Provider: Basic is entered automatically and can't be changed.

    • SCEP URL: Copy and paste the SCEP URL from when you generated a SCEP URL and a secret key.

    • Challenge Type: Click STATIC.

    • Static Challenge: Copy and paste the Secret Key from when you generated a SCEP URL and a secret key.

    • Confirm Challenge Phrase: Copy and paste the Secret Key from when you generated a SCEP URL and a secret key.

    • Retry Timeout: Accept the default value of 30.

    • Max Retries When Pending: Accept the default value of 5, or specify how many times the device retries while its certificate request is pending.

    • Enable Proxy: Accept the default value of DISABLED or select ENABLED if appropriate for your environment. If you select ENABLED, Workspace ONE UEM acts as a proxy between the device and the SCEP endpoint defined in the CA configuration.

  6. Click TEST CONNECTION. If you click SAVE before TEST CONNECTION, the message Test is unsuccessful appears.

  7. After the Test is successful message appears, click SAVE AND ADD TEMPLATE.

    If the test fails, make sure that you can access the Okta SCEP URL from when you generated a SCEP URL and a secret key.
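If TEST CONNECTION fails, it helps to check the SCEP URL independently of Workspace ONE. The following PowerShell script is an added example, not code from the Okta or Workspace ONE documentation. It sends the standard SCEP GetCACert operation (RFC 8894, section 4.2) to the URL you generated in Okta and prints the CA certificate(s) the endpoint returns; if you also pass the path of the x509 certificate you downloaded from Okta, it reports whether that certificate is among them. It assumes that Okta's SCEP endpoint answers GetCACert the way any SCEP server does (the page itself doesn't describe the endpoint's operations) and that the host you run it on has the same outbound access as your Workspace ONE console or proxy.

```powershell
# Added example (not from the Okta or Workspace ONE documentation).
# Sends SCEP GetCACert to the Okta SCEP URL and lists the returned CA certificate(s).
# Assumption: the endpoint implements the standard GetCACert operation.
param(
    [Parameter(Mandatory)] [string] $ScepUrl,   # the Okta SCEP URL you generated
    [string] $DownloadedCertPath                # optional: the x509 certificate downloaded from Okta
)

# Append the GetCACert query, whether or not the URL already carries a query string.
$sep = if ($ScepUrl.Contains('?')) { '&' } else { '?' }
$uri = '{0}{1}operation=GetCACert&message=CA' -f $ScepUrl, $sep

# Write the body to a temp file so we get raw bytes regardless of PowerShell version.
$tmp = [System.IO.Path]::GetTempFileName()
try {
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -OutFile $tmp -PassThru -ErrorAction Stop
} catch {
    Write-Error "GetCACert request to $uri failed: $($_.Exception.Message)"
    exit 1
}
Write-Host "HTTP $($resp.StatusCode), Content-Type: $($resp.Headers['Content-Type'])"

$bytes = [System.IO.File]::ReadAllBytes($tmp)
Remove-Item $tmp -ErrorAction SilentlyContinue

# A SCEP server returns either one DER certificate (application/x-x509-ca-cert) or a
# PKCS#7 degenerate SignedData holding the CA/RA chain (application/x-x509-ca-ra-cert).
# X509Certificate2Collection.Import understands both and extracts the certificates.
$certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
try {
    $certs.Import($bytes)
} catch {
    Write-Error "Response body is not a certificate or PKCS#7 bundle: $($_.Exception.Message)"
    exit 1
}

Write-Host "Endpoint returned $($certs.Count) certificate(s):"
foreach ($c in $certs) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
    }
}

# Optional cross-check against the Organization Intermediate certificate downloaded from Okta.
if ($DownloadedCertPath) {
    $downloaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($DownloadedCertPath)
    $returned   = @($certs | ForEach-Object { $_.Thumbprint })
    if ($returned -contains $downloaded.Thumbprint) {
        Write-Host "OK: the downloaded certificate ($($downloaded.Thumbprint)) is among the CA certificates returned."
    } else {
        Write-Warning "The downloaded certificate ($($downloaded.Thumbprint)) was not returned by GetCACert; confirm you downloaded it from the same Okta org."
    }
}
```

Run it as `.\Test-OktaScep.ps1 -ScepUrl '<your Okta SCEP URL>' -DownloadedCertPath .\okta-intermediate.crt` (file names are placeholders). An HTTP error or a body that doesn't parse as a certificate means the problem is reachability or the URL itself, not the Workspace ONE CA configuration; a good response with the wrong challenge still fails at enrollment time, so this check only covers the URL half of the test.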

In Workspace ONE, add or edit a certificate template

In this task you'll add a CA request template after you create a static SCEP profile.

  1. In Workspace ONE, select the Request Templates tab.

  2. Click + ADD.

  3. On the Certificate Template - Add/Edit page, enter the following:

    • Name: Enter a name for the template.

    • Description: Optional. Enter a description for the template.

    • Certificate Authority: Select the CA that you created when you created the static SCEP profile.

    • Issuing Template: Leave blank or configure as appropriate for your implementation.

    • Subject Name: Enter a subject name. For example, CN = {EmailAddress} managementAttestation {DeviceUid}.

      Okta doesn't require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also use the profile variables provided by Workspace ONE to include the device ID (UDID) and a user identifier, which makes it easy to tell from the subject which device and user a given certificate was issued to. For a list of supported variables, see the Workspace ONE document Lookup Values.

    • Private Key Length: Select 2048.

    • Private Key Type: Select Signing.

    • SAN Type: N/A.

    • Automatic Certificate Renewal: Click ENABLED. Okta doesn't process SCEP renewal requests (see Before you begin), so with this setting Workspace ONE requests a fresh certificate before the current one expires. That re-request is the profile redistribution that Okta as a CA relies on.

    • Publish Private Key: Click DISABLED.

  4. Click SAVE.

Define a device profile to deploy the Okta Intermediate CA to the Intermediate Store on devices

  1. In Workspace ONE, click RESOURCES (left ribbon bar).
  2. Click Profiles & BaselinesProfiles.
  3. Click ADD, and then select Add Profile.
  4. Select WindowsWindows DesktopDevice Profile.
  5. On the General page, enter the following:
    • Name: Enter a name for the device profile.
    • Description: Optional. Enter a description for the device profile.
    • Deployment: Select Managed.
    • Assignment Type: Accept the default or configure as appropriate for your implementation.
    • Allow Removal: Accept the default or configure as appropriate for your implementation.
    • Managed By: Enter the person or group with administrative access to the profile.
    • Smart Groups: Begin typing the name of the group and then select it from the list.
    • Exclusions: Exclude groups from the profile. Accept the default or configure as appropriate for your implementation.
    • Additional Assignment Criteria: Lets you schedule the deployment.
    • Removal Date: Specify a date when the profile is removed from the device.
  6. Click Credentials in the left pane.
  7. Click CONFIGURE.
  8. On the Credentials page, enter the following:
    • Credential Source: Select Upload.
    • Certificate: Click Upload and browse to the x509 certificate (the Organization Intermediate certificate) that you downloaded from Okta.
    • Key Location: Accept the default or configure as appropriate for your implementation.
    • Certificate Store: Select Intermediate.
  9. Click SAVE AND PUBLISH.

Define a user profile to deploy the Okta CA-issued client certificate to the Personal Store on devices for management attestation

This task creates a management payload that pushes the client certificate information and credential to the client. This allows the client to connect to Okta and request a new client certificate. The client certificate is used for management attestation as part of Okta Verify-enabled flows.

  1. In Workspace ONE, click RESOURCES (left ribbon bar).

  2. Click Profiles & BaselinesProfiles.

  3. Click ADD, and then select Add Profile.

  4. Select WindowsWindows DesktopUser Profile.

  5. On the General page, enter the following:

    • Name: Enter a name for the user profile.

    • Description: Optional. Enter a description for the user profile.

    • Deployment: Select Managed.

    • Assignment Type: Select Auto.

    • Allow Removal: Select Always.

    • Managed By: Optional. Enter other admin names.

    • Smart Groups: Enter the same groups that you specified in the device profile.

    • Exclusions: Exclude groups from the profile. Accept the default or configure as appropriate for your implementation.

    • Additional Assignment Criteria: Lets you schedule the deployment.

    • Removal Date: Specify a date when the profile is removed from the device.

  6. Click Credentials in the left pane.

  7. Click CONFIGURE.

  8. On the Credentials page, enter the following:

    • Credential Source: Select Defined Certificate Authority.

    • Certificate Authority: Select the same Certificate Authority that you configured when you created the static SCEP profile.

    • Key Location: Select TPM If Present to support devices with or without a TPM. Note that on a device without a TPM this option stores the private key in software, where it can be exported or copied by anyone with the user's access. If your policy requires the attestation key to be hardware-bound, choose the option that requires a TPM instead, so that devices without one fail enrollment rather than silently receiving a software key.

    • Certificate Store: Select Personal.

  9. Click SAVE AND PUBLISH.

On a Windows computer, verify the certificate installation

  1. On a Windows computer, verify that the client certificate was installed:
    1. On the Windows computer, click Start, and then type cert.
    2. Click Manage user certificates.
    3. Under Certificates - Current User, click Personal > Certificates.
    4. Make sure that the client certificate exists.
  2. Verify the Certificate Authority (CA):
    1. Click Start, type cert, and then click Manage computer certificates. Under Certificates - Local Computer, select Intermediate Certification Authorities > Certificates.
    2. In the Issued To column, find Organization Intermediate Authority.
    3. Make sure that the Issued By column specifies Organization Root Authority for Organization Intermediate Authority.
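The manual checks above can be scripted for a fleet. The following PowerShell function is an added example, not code from the Okta or Workspace ONE documentation. It runs in the enrolled user's session and checks the same things: that the Okta intermediate is in the machine's Intermediate Certification Authorities store and is issued by the root, that an Okta-issued client certificate with a private key is in the user's Personal store, where that private key lives (TPM or software), how long until the certificate expires, and that the client certificate actually chains to the deployed intermediate. The issuer names default to the Organization Intermediate Authority and Organization Root Authority names shown on this page; the 30-day expiry warning is a placeholder to align with your own redistribution schedule.

```powershell
# Added example (not from the Okta or Workspace ONE documentation).
# Verifies the certificates deployed by the device and user profiles on this page.
# Defaults assume the issuer names shown on the page; override them if yours differ.
function Test-OktaAttestationCert {
    param(
        [string] $IntermediateName = 'Organization Intermediate Authority',
        [string] $RootName         = 'Organization Root Authority',
        [int]    $WarnDays         = 30   # placeholder; match your redistribution schedule
    )

    $result = [ordered]@{
        IntermediatePresent  = $false
        ClientCertPresent    = $false
        ChainsToIntermediate = $false
        KeyProvider          = $null
        DaysToExpiry         = $null
        Problems             = @()
    }

    # 1. Okta intermediate in Local Computer > Intermediate Certification Authorities (store "CA").
    $inter = Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -like "*CN=$IntermediateName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $inter) {
        $result.Problems += "No '$IntermediateName' certificate in LocalMachine\CA; check the device profile."
    } else {
        $result.IntermediatePresent = $true
        if ($inter.Issuer -notlike "*CN=$RootName*") {
            $result.Problems += "Intermediate is issued by '$($inter.Issuer)', expected '$RootName'."
        }
    }

    # 2. Okta-issued client certificate, with a private key, in Current User > Personal (store "My").
    $client = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*CN=$IntermediateName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $client) {
        $result.Problems += "No client certificate issued by '$IntermediateName' with a private key in CurrentUser\My; check the user profile."
        return [pscustomobject]$result
    }
    $result.ClientCertPresent = $true
    $result.DaysToExpiry = [math]::Floor(($client.NotAfter - (Get-Date)).TotalDays)
    if ($result.DaysToExpiry -lt $WarnDays) {
        $result.Problems += "Client certificate expires in $($result.DaysToExpiry) day(s); Okta doesn't renew, so the profile must be redistributed."
    }

    # 3. Where is the private key? 'Microsoft Platform Crypto Provider' means TPM-backed;
    #    'Microsoft Software Key Storage Provider' means a software key (TPM If Present on a device without a TPM).
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($client)
        if ($null -eq $rsa) {
            $result.KeyProvider = 'non-RSA key'
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $result.KeyProvider = $rsa.Key.Provider.Provider
        } else {
            $result.KeyProvider = $rsa.GetType().Name   # e.g. RSACryptoServiceProvider (legacy CSP)
        }
    } catch {
        $result.Problems += "Could not open the private key: $($_.Exception.Message)"
    }

    # 4. Confirm the client certificate is signed by the deployed intermediate. The Okta root is not
    #    deployed to devices, so UntrustedRoot/PartialChain are expected here and tolerated; any other
    #    chain error (bad signature, expired, wrong issuer) is reported.
    if ($inter) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        [void]$chain.ChainPolicy.ExtraStore.Add($inter)
        [void]$chain.Build($client)
        $second    = if ($chain.ChainElements.Count -ge 2) { $chain.ChainElements[1].Certificate } else { $null }
        $tolerated = 'NoError', 'UntrustedRoot', 'PartialChain'
        $bad       = @($chain.ChainStatus | Where-Object { $tolerated -notcontains $_.Status.ToString() })
        if ($second -and $second.Thumbprint -eq $inter.Thumbprint -and $bad.Count -eq 0) {
            $result.ChainsToIntermediate = $true
        } else {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $result.Problems += "Client certificate does not chain to the deployed intermediate (chain status: $status)."
        }
    }

    return [pscustomobject]$result
}

Test-OktaAttestationCert | Format-List
```

An empty Problems list with ChainsToIntermediate set to true is the pass condition. A KeyProvider other than Microsoft Platform Crypto Provider tells you the attestation key is not TPM-bound on that device, which is worth knowing before you rely on the certificate as a management signal.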

Next steps